
denial of service = gmail compromise?

If this is in the wrong forum, I apologize.
Over the last few weeks, I noticed a drop in my connection, which I didn't think anything of, until recently. So, I decided to run EtherApe during the last few dropouts, and it lit up like a Christmas tree. I was being connected to by IPs from all over the world in a few seconds.

Well, this evening, my Gmail was hacked. From what I can tell, it was only for 8 minutes, but it was enough time for some kind of spambot to hit my address book. I'm thinking that my Firefox profile was compromised, but to tell the truth, I'm a little out of my depth. I'm running Linux, if that helps you experts out any.

My question is: wtf? Does this sound like anything anyone here is familiar with? Is there any way to gauge how bad I'm screwed? I must have a billion logins, and I'd really hate to track down and change everything.... Not to mention, how do I seal this up?

Re: denial of service = gmail compromise?

This is definitely not the right forum because (a) it has nothing to do with BackTrack and (b) it's not even close to an expert topic... but I'm in a helpful mood, and bored, so I'll offer my thoughts. First off, prevent future attacks by changing all your passwords, and make sure your system is secure. Info on your operating system (Ubuntu? version?), connection type (wireless?), and services running (file sharing, remote desktop?) would help me suggest security measures to implement. I can't think of any connection between a DDoS (which it seems you're suggesting, but connections from all over the world are more likely due to file sharing in my opinion) and a system compromise. The fact that spam was sent from your account (I'm assuming) to all your contacts sounds like some sort of malware to me, since an individual attacking your system would have little to gain by spamming your buddies. Send me a private message containing your IP address if you would like me to do a quick scan to see if you have any obvious vulnerabilities. Or better yet, download BackTrack and attempt the scan yourself if you have confidence in your Linux skills.

Re: denial of service = gmail compromise?

First of all, I'd ask if you have experience in interpreting the results of EtherApe. Are you sure all those IPs were connecting to you and not the other way around? Do you have a listening service on your system for them to connect to? Because if you don't, then there is no way for this to happen. And if you do... why are you offering up listening services to the Internet? Get your firewall rules sorted, and check to make sure someone else hasn't started a listening service on your system on your behalf... for guidance, SANS have some good intruder checklists you should check out.

Regarding the Gmail thing - have you accessed your Gmail account from an untrusted computer, or clicked a link in a strange email and then been prompted for your Gmail username and password? Do you follow safe browsing practices? If you use Linux and only Linux and don't do things like leaving ssh open to the world, it's unlikely you have been caught by a password-stealing trojan or other direct compromise of your PC, and more likely that you have fallen victim to some web-based attack like XSS, XSRF, phishing, etc. If you've ever accessed your Gmail account from a Windows box that isn't managed in an incredibly secure fashion, I'd say that it was probably "trojaned up" and that is the most likely cause of your compromised account. And when I say "incredibly secure" I mean NOT like how about 80% of the world, including most businesses, run their Windows PCs.

As mentioned above, some sort of mass pwnage scenario is most likely given the nature of the attack (spamming). Spamming is pretty unlikely to be the result of a manual break in, and much more likely to be a symptom of automated malware of some sort.

However it happened though, your best response is to just change your passwords and start computing securely. There's no reasonable way for someone to properly determine what's gone on in your case without direct access and a fair amount of skill, so all you can do is just clean up and concentrate on making your system defensible against future attacks.

Last edited by lupin; 06-16-2010 at 12:31 PM.
Reason: Writing like a spaz today...

Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

Re: denial of service = gmail compromise?

I do have some open ports, for certain applications, and yes, ssh is one of them. My bad. But here's the thing: I don't open any email that isn't from someone I know, and I only run Linux at home. At work, let's just say it's probably as secure as a Windows box can be. What I didn't realize is that apparently Trojans work in Wine. I had no idea, and never really bothered to be careful with Windows stuff. After the initial break-in, I wiped out all of my hidden home directories, and reformatted, and so far, that seems to have done the trick. Since I had no idea how bad it was, I just deleted everything suspicious, so I guess I'll never know what the source was. I don't even know if what I was seeing with my internet drops was related to the Gmail compromise.

I've scanned my ports a few times, but do I really have to seal everything up? I actually use ssh. Now when I say that they're open, I mean forwarded. I don't know if that actually translates to real open ports on my box.

Re: denial of service = gmail compromise?

Originally Posted by ndrwgn

I've scanned my ports a few times, but do I really have to seal everything up? I actually use ssh. Now when I say that they're open, I mean forwarded. I don't know if that actually translates to real open ports on my box.

Forwarded/open - same difference. It still allows remote access to the service running on that port.

ssh isn't too bad, as long as you are not running a vulnerable version and you can deal with automated password-guessing attempts (account lockouts, detection and blocking of bad IP addresses, etc.). You may want to forward it from a different port (not 22), use a good password and allow ssh access only to non-obvious account names to fool the dumber scanners.

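The "detection and blocking of bad IP addresses" suggested above comes down to counting failed sshd logins per source in a sliding time window, which is what tools like fail2ban do. The following is an added example (not from anyone in this thread) run over constructed auth.log-style lines; the threshold, window, and sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log
SAMPLE_LOG = """\
Jun 16 12:01:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jun 16 12:01:05 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jun 16 12:01:07 host sshd[2103]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jun 16 12:01:09 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51140 ssh2
Jun 16 12:02:11 host sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51150 ssh2
Jun 16 12:05:40 host sshd[2110]: Failed password for ndrwgn from 198.51.100.7 port 40001 ssh2
Jun 16 12:05:52 host sshd[2110]: Accepted password for ndrwgn from 198.51.100.7 port 40001 ssh2
Jun 16 13:30:00 host sshd[2201]: Failed password for invalid user guest from 192.0.2.9 port 33000 ssh2
"""

# Matches only failed password attempts; "invalid user" marks names sshd does not know
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2010):
    """Yield (timestamp, username, source_ip) for every failed-password line.
    syslog lines carry no year, so one is supplied (assumed here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def brute_force_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for every source IP that produced
    at least `threshold` failures inside any `window`-long span.
    A single typo from a legitimate user never crosses the threshold."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged
```

The flagged dictionary is what you would feed to a firewall deny rule; the list of usernames tried shows why non-obvious account names blunt this kind of scanner.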